Date: Fri, 11 Jul 2025 02:19:49 +0200
From: Alejandro Colomar
To: Linus Torvalds
Cc: linux-mm@kvack.org, linux-hardening@vger.kernel.org, Kees Cook, Christopher Bazley, shadow <~hallyn/shadow@lists.sr.ht>, linux-kernel@vger.kernel.org, Andrew Morton, kasan-dev@googlegroups.com, Dmitry Vyukov, Alexander Potapenko, Marco Elver, Christoph Lameter, David Rientjes, Vlastimil Babka, Roman Gushchin, Harry Yoo, Andrew Clayton, Rasmus Villemoes, Michal Hocko, Al Viro, Martin Uecker, Sam James, Andrew Pinski
Subject: Re: [RFC v5 6/7] sprintf: Add [v]sprintf_array()
References: <04c1e026a67f1609167e834471d0f2fe977d9cb0.1752182685.git.alx@kernel.org>

On Fri, Jul 11, 2025 at 01:23:56AM +0200, Alejandro Colomar wrote:
> Hi Linus,
>
> [I'll reply to both of your emails at once]
>
> On Thu, Jul 10, 2025 at 02:58:24PM -0700, Linus Torvalds wrote:
> > You took my suggestion, and then you messed it up.
> >
> > Your version of sprintf_array() is broken. It evaluates 'a' twice.
> > Because unlike ARRAY_SIZE(), your broken ENDOF() macro evaluates the
> > argument.
>
> An array has no issue being evaluated twice (unless it's a VLA). On the
> other hand, I agree it's better to not do that in the first place.
> My bad for forgetting about it. Sorry.
>
> On Thu, Jul 10, 2025 at 03:08:29PM -0700, Linus Torvalds wrote:
> > If you want to return an error on truncation, do it right. Not by
> > returning NULL, but by actually returning an error.
>
> Okay.
>
> > For example, in the kernel, we finally fixed 'strcpy()'. After about a
> > million different versions of 'copy a string' where every single
> > version was complete garbage, we ended up with 'strscpy()'. Yeah, the
> > name isn't lovely, but the *use* of it is:
>
> I have implemented the same thing in shadow, called strtcpy() (T for
> truncation). (With the difference that we read the string twice, since
> we don't care about threads.)
>
> I also plan to propose standardization of that one in ISO C.
>
> > - it returns the length of the result for people who want it - which
> > is by far the most common thing people want
>
> Agree.
>
> > - it returns an actual honest-to-goodness error code if something
> > overflowed, instead of the absolutely horrible "source length" of the
> > string that strlcpy() does and which is fundamentally broken (because
> > it requires that you walk *past* the end of the source,
> > Christ-on-a-stick what a broken interface)
>
> Agree.
>
> > - it can take an array as an argument (without the need for another
> > name - see my earlier argument about not making up new names by just
> > having generics)
>
> We can't make the same thing with sprintf() variants because they're
> variadic, so you can't count the number of arguments. And since the
> 'end' argument is of the same type as the formatted string, we can't
> do it with _Generic reliably either.
>
> > Now, it has nasty naming (exactly the kind of 'add random character'
> > naming that I was arguing against), and that comes from so many
> > different broken versions until we hit on something that works.
> >
> > strncpy is horrible garbage. strlcpy is even worse. strscpy actually
> > works and so far hasn't caused issues (there's a 'pad' version for the
> > very rare situation where you want 'strncpy-like' padding, but it
> > still guarantees NUL-termination, and still has a good return value).
>
> Agree.
>
> > Let's agree to *not* make horrible garbage when making up new versions
> > of sprintf.
>
> Agree. I indeed introduced the mistake accidentally in v4, after you
> complained of having too many functions, as I was introducing not one
> but two APIs: seprintf() and stprintf(), where seprintf() is what now
> we're calling sprintf_end(), and stprintf() is what we could call
> sprintf_trunc(). So I made the mistake by trying to reduce the number of
> functions to just one, which is wrong.
>
> So, maybe I should go back to those functions, and just give them good
> names.
>
> What do you think of the following?
>
> #define sprintf_array(a, ...) sprintf_trunc(a, ARRAY_SIZE(a), __VA_ARGS__)
> #define vsprintf_array(a, ap) vsprintf_trunc(a, ARRAY_SIZE(a), ap)

Typo: forgot the fmt argument.

>
> char *sprintf_end(char *p, const char end[0], const char *fmt, ...);
> char *vsprintf_end(char *p, const char end[0], const char *fmt, va_list args);
> int sprintf_trunc(char *buf, size_t size, const char *fmt, ...);
> int vsprintf_trunc(char *buf, size_t size, const char *fmt, va_list args);
>
> char *sprintf_end(char *p, const char end[0], const char *fmt, ...)
> {
> 	va_list args;
>
> 	va_start(args, fmt);
> 	p = vsprintf_end(p, end, fmt, args);
> 	va_end(args);
>
> 	return p;
> }
>
> char *vsprintf_end(char *p, const char end[0], const char *fmt, va_list args)
> {
> 	int len;
>
> 	if (unlikely(p == NULL))
> 		return NULL;
>
> 	len = vsprintf_trunc(p, end - p, fmt, args);
> 	if (unlikely(len < 0))
> 		return NULL;
>
> 	return p + len;
> }
>
> int sprintf_trunc(char *buf, size_t size, const char *fmt, ...)
> {
> 	va_list args;
> 	int len;
>
> 	va_start(args, fmt);
> 	len = vsprintf_trunc(buf, size, fmt, args);
> 	va_end(args);
>
> 	return len;
> }
>
> int vsprintf_trunc(char *buf, size_t size, const char *fmt, va_list args)
> {
> 	int len;
>
> 	if (WARN_ON_ONCE(size == 0 || size > INT_MAX))
> 		return -EOVERFLOW;
>
> 	len = vsnprintf(buf, size, fmt, args);
> 	if (unlikely(len >= size))
> 		return -E2BIG;
>
> 	return len;
> }
>
> sprintf_trunc() is like strscpy(), but with a formatted string. It
> could replace uses of s[c]nprintf() where there's a single call (no
> chained calls).
>
> sprintf_array() is like the 2-argument version of strscpy(). It could
> replace s[c]nprintf() calls where there are no chained calls, where the
> input is an array.
>
> sprintf_end() would replace the chained calls.
>
> Does this sound good to you?
>
> Cheers,
> Alex
>
> --
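The three-function API sketched in the quoted message, as an added userspace example that is not Alex's code and not kernel code: sprintf_trunc() returns the length or a negative error (-E2BIG on truncation, like strscpy()), sprintf_end() chains on an end pointer and propagates NULL so a sequence of calls needs a single check, and sprintf_array() takes the size from the array. Assumptions not in the mail: WARN_ON_ONCE()/unlikely() are replaced by plain checks, the GNU-style `end[0]` parameter is written as `const char *end`, a negative return from vsnprintf() is mapped to -EINVAL, and the `scratch` buffer and build_record()/record_fits()/record_truncated() helpers are constructed for the demonstration.

```c
/*
 * Added example, not code from the mail or from the kernel: a userspace
 * re-implementation of the sprintf_trunc()/sprintf_end()/sprintf_array()
 * API sketched above.  WARN_ON_ONCE()/unlikely() become plain checks and
 * the GNU-style `end[0]` parameter is written as `const char *end`.
 */
#include <errno.h>
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a)		(sizeof(a) / sizeof((a)[0]))
#define sprintf_array(a, ...)	sprintf_trunc(a, ARRAY_SIZE(a), __VA_ARGS__)

/*
 * strscpy()-style single call: length on success, -EOVERFLOW for a size that
 * cannot be honoured, -E2BIG if the output did not fit.  On -E2BIG the buffer
 * holds a NUL-terminated prefix that must not be mistaken for the whole.
 */
static int vsprintf_trunc(char *buf, size_t size, const char *fmt, va_list args)
{
	int len;

	if (size == 0 || size > INT_MAX)
		return -EOVERFLOW;
	len = vsnprintf(buf, size, fmt, args);
	if (len < 0)
		return -EINVAL;		/* encoding error from vsnprintf() (assumption) */
	if ((size_t) len >= size)
		return -E2BIG;		/* truncated */
	return len;
}

__attribute__((format(printf, 3, 4)))
static int sprintf_trunc(char *buf, size_t size, const char *fmt, ...)
{
	va_list args;
	int len;

	va_start(args, fmt);
	len = vsprintf_trunc(buf, size, fmt, args);
	va_end(args);
	return len;
}

/*
 * Chaining variant: the position just past the text written, or NULL once any
 * link failed.  A NULL input short-circuits, so a chain needs one check at the end.
 */
static char *vsprintf_end(char *p, const char *end, const char *fmt, va_list args)
{
	int len;

	if (p == NULL)
		return NULL;
	len = vsprintf_trunc(p, (size_t) (end - p), fmt, args);
	return len < 0 ? NULL : p + len;
}

__attribute__((format(printf, 3, 4)))
static char *sprintf_end(char *p, const char *end, const char *fmt, ...)
{
	va_list args;

	va_start(args, fmt);
	p = vsprintf_end(p, end, fmt, args);
	va_end(args);
	return p;
}

/* Constructed scratch buffer for the demonstrations below. */
static char scratch[32];

/* Two chained calls, one check: total length, or -1 if either piece overflowed. */
static int build_record(char *buf, size_t size, const char *name, int id)
{
	const char *end = buf + size;
	char *p = buf;

	p = sprintf_end(p, end, "name=%s;", name);
	p = sprintf_end(p, end, "id=%d", id);
	return p == NULL ? -1 : (int) (p - buf);
}

/* sprintf_array() on local arrays: 5 for "id=42"; -E2BIG when it does not fit. */
static int record_fits(void)
{
	char buf[16];
	return sprintf_array(buf, "id=%d", 42);
}

static int record_truncated(void)
{
	char buf[8];
	return sprintf_array(buf, "%s", "0123456789");
}

int main(void)
{
	printf("%d \"%s\"\n", build_record(scratch, sizeof(scratch), "alice", 7), scratch);
	printf("%d %d %d\n", record_fits(), record_truncated(),
	       build_record(scratch, 12, "alice", 7));
	return 0;
}
```

With a 32-byte buffer build_record() returns 15 and leaves "name=alice;id=7"; with a 12-byte buffer the first piece fits exactly, the second is rejected with -E2BIG, the chain collapses to NULL and the caller sees -1 while the buffer still holds the NUL-terminated prefix "name=alice;". That single end-of-chain check is the property that the mail's sprintf_end() is designed to give over a series of snprintf() calls whose individual return values are easy to forget to test.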